On August 11, 2023 the President of India, Droupadi Murmu signed into law the Digital Personal Data Protection, 2023 — India’s data protection law that has been several years in the making. While the Minister for Information Technology called it an “important milestone in the global standard cyber law framework,” and Meta’s India head called it a “great step in balancing user protection with innovation,” civil society organisations are less happy about the final shape of the bill. To understand the divergence in the reactions, it’s necessary to go back to the circumstances that led up to the bill in the present shape.
Aadhaar — the seed
The conversation about data protection in India only picked up steam in the middle of the last decade in the context of the Aadhaar — a biometric identification tool developed by the government, and first launched in 2009. While the initial stated use of the Aadhaar was to give a unique ID to every resident of India to be able to access welfare schemes, its use started to be mandated in everything from school admission to tax filing. This prompted fears that the government was putting in place a wider surveillance system that would track every resident. In addition, much of the expansion of the use of the Aadhaar happened before a law governing its use and protecting the data collected by it was put in place.
Even after an Aadhaar law was passed in 2016 (permitting the mandatory use of Aadhaar), a series of constitutional and legal challenges were made to the widespread mandatory requirement of the Aadhaar in India’s constitutional courts. The primary ground of challenge was that the Aadhaar was a violation of the constitutionally protected right to privacy, while the government contended that the constitution guarantees no such right since it is not listed in the fundamental rights chapter of the constitution.
Ultimately, in 2017, a nine-judge bench of the Supreme Court held that there was indeed a right to privacy guaranteed under the constitution, one facet of which was “informational privacy,” which could be claimed against both the government and private entities. The court acknowledged that this right could be restricted for certain legitimate purposes as long as such restrictions were imposed by law and proportionate. The court also noted that, in the digital age, a general data protection law (separate from the Aadhaar Act) was the need of the hour.
A special committee to draft the law
In response to the court’s observation, the government set up a committee in 2017, headed by B.N. Srikrishna, a retired judge of the Supreme Court of India, to come up with a draft law for data protection in India. The committee’s report, submitted in 2018, included a draft data protection law that outlined the legal and regulatory framework that would govern data protection in India and transfers of data outside India.
While the government largely accepted the recommendations of the committee, it introduced a draft of the data protection law in December 2019 that was different from the committee’s recommendations in several respects, most notably in the kinds of exemptions that the government would get from this law. The draft bill was sent for one more round of discussion and debate in the Joint Parliamentary Committee (comprising select members of both houses of India’s parliament tasked with a more detailed study of the bill) after which one more draft of the data protection law was introduced in parliament with further changes in 2021. This draft was also met with criticism from civil society for caring very little about privacy and much more about enabling state surveillance, and from Big Tech over provisions mandating local storage of data.
However, in August 2022, this draft law was abruptly withdrawn from parliament by the government, with the promise of a brand new law being introduced in a month. The new bill, the fourth version of the data protection law, is the one which has finally been passed as the DPDP Act.
In the end, did India get a good data protection law?
On a plain reading, the DPDP Act seems to have its merits. It mandates that “data fiduciaries” (those who collect and process data from individuals) take consent after giving notice before using the digital personal data of a “data principal” (individual whose data is being collected) and requires such consent to be “free, specific, informed, unconditional and unambiguous.” It lists four rights of data principals, including the right to be granted erasure of data and seek grievance redressal, and imposes obligations on data fiduciaries.
However, that is pretty much where the good news about the bill stops.
The DPDP Act suffers from two very large failings: the absence of a strong regulator and the government’s wide powers to exempt itself from the provisions of the law. While the DPDP lays out the rights of data principals and the duties of data fiduciaries, it leaves the enforcement of these rights and duties to the individual affected. Unlike draft versions of the law that envisaged a data regulator (a Data Protection Authority of India), the present version provides for a largely toothless body — the Data Protection Board (DPB) — that has no powers to make regulations governing the collection and use of data by Big Tech or enforce the mandate of the law on the companies. At best, it can hear complaints from data principals, but has little power to enforce its own orders or directions against a big tech company. Big tech companies are hardly going to spend sleepless nights over any action by this toothless, de-clawed DPB.
The DPB is also appointed and staffed only by appointees of the government with no input from anyone outside the government on who should be appointed. This gives the government the power to decide what the qualifications of a person appointed should be, and how they will be appointed, essentially preventing the DPB from being an independent body.
This brings us to the other big problem with the law: its complete inability to provide anything like a check on mass surveillance. While the previous versions of the data protection law have been criticised for not doing enough, the DPDP Act gives the government the power to grant blanket exemptions to any government, government body or state instrumentality (including public sector enterprises, government controlled bodies, and similar entities) in the “interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these.” Such a wide power is unrestrained either procedurally or substantively.
The DPDP Act, in its present shape and form, is hardly adequate to protect the informational privacy of data principals either from Big Tech or from the state. As a nation with a liberal constitution, long history of democratic rule and a large population of online users, India had the opportunity to lead the conversation on data protection into new frontiers, especially for the Global South. Needless to say, it missed the opportunity to do so quite spectacularly.
Disclaimers: Alok Prasanna Kumar is a co-founder of the Vidhi Centre for Legal Policy. Vidhi has assisted the government in drafting the Aadhaar Act and the Justice B.N. Srikrishna Committee in preparing its report. He is also a lawyer who practised in the Supreme Court and appeared on behalf of the Union Government in the initial stages of the Aadhaar litigation.